Session management within Internet Explorer 8.0

Veena again, back with a discussion on session management in IE8. Many application developers expect that they lose their session when they close the IE window. So when the user launches a new instance of IE, they expect that the user is shown the login screen. However, to their surprise, this doesn’t happen automatically with IE8. IE8 is actually behaving as expected and I will attempt to explain why.

Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application, because this clearly will not work if there is another window that is sharing the session. This has always been the behavior, although the mechanics of which windows share a session have changed in IE8. For example, in IE6 and IE7, there were several ways to launch new windows, some of which gave you a new session, others of which did not.

Click IE shortcut from desktop, start->run -> New Session

Run iexplore.exe -> New Session

Click File->New Window -> Same session

Click “Open link in new tab” (IE7) -> Same session

Click “Open link in new window” -> Same session

Window.open() -> Same session

As you can see, even in IE7, closing the browser window does not guarantee that your session and credentials would be destroyed. As you may already be aware, many architectural changes were put into IE8. One such change was to unify the session model and improve performance. For more information, please review the MSDN IE Blog post titled "IE8 and Reliability": http://blogs.msdn.com/b/ie/archive/2008/07/28/ie8-and-reliability.aspx.

So what if I want the old behavior back? Well, there are three ways available:

In summary, having the user close the browser window has never been sufficient to ensure that the session is destroyed. If the user had another window open in the same session, then that window would still effectively be logged in. However, if the user clicks “Log off” in the application before closing the window, the application CAN clear any credentials in the session, either by deleting session cookies (if that’s the authentication mechanism), or by deleting all of the credentials in the session via document.execCommand("ClearAuthenticationCache", false). If the application code does this, the user will not need to close the window to complete the logging out process. So next time they browse to it in another window that’s sharing the session, they should see the login screen as expected.
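The “Log off” step described above, as an added example that is not code from the original post. It expires the named session cookies that script can see, reports the ones it cannot see (for example HttpOnly cookies, which only the server can expire), and clears IE's authentication cache. The function names, the "/" cookie path and the fake document are assumptions made so it runs offline.

```javascript
// Added example: client-side half of a "Log off" handler (illustrative names).
function logoff(doc, sessionCookieNames) {
  // document.cookie exposes only script-visible cookies: "a=1; b=2".
  const visible = doc.cookie.split(";")
    .map(p => p.split("=")[0].trim()).filter(Boolean);
  const expired = [];
  const serverMustExpire = [];
  for (const name of sessionCookieNames) {
    if (!visible.includes(name)) {
      // Not visible to script (e.g. HttpOnly): the server's logoff
      // response has to send the expiring Set-Cookie itself.
      serverMustExpire.push(name);
      continue;
    }
    // A past expiry deletes the cookie for every window sharing the session.
    // Assumption: the cookie was set with path "/"; the path must match.
    doc.cookie = name + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";
    expired.push(name);
  }
  let authCleared = false;
  try {
    // IE-specific command; it drops all cached credentials in the session.
    authCleared = doc.execCommand("ClearAuthenticationCache", false) === true;
  } catch (e) {
    authCleared = false; // command not supported by this browser
  }
  return { expired, serverMustExpire, authCleared };
}

// Constructed stand-in for a browser document, for offline runs only.
function makeFakeDocument(jar, httpOnlyNames) {
  return {
    get cookie() {
      return Object.keys(jar).filter(n => !httpOnlyNames.includes(n))
        .map(n => n + "=" + jar[n]).join("; ");
    },
    set cookie(str) {
      const [nv, ...attrs] = str.split(";");
      const name = nv.split("=")[0].trim();
      const past = attrs.some(a => /^\s*expires=/i.test(a) &&
        new Date(a.split("=")[1]) < new Date());
      if (past) delete jar[name];
      else jar[name] = nv.slice(nv.indexOf("=") + 1);
    },
    execCommand(cmd) { return cmd === "ClearAuthenticationCache"; }
  };
}
```

In a page, the handler would be called as logoff(document, [...]) alongside a request to the server's logoff URL, so that the server-side session record and any HttpOnly cookies are invalidated as well.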

If two windows share a session and one is closed, then no, don’t close the session. If all instances close, then yes, the session closes.

Secure session cookies rely on this behaviour.

The expected user behaviour, whether you like it or not, is that closing a browser closes a login. Putting a logout button is zero guarantee that the user will click it. You can engineer code, but you can’t engineer your users.

"Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application. Because this clearly will not work if there is another window that is sharing the session. "

True, but why, pray say, session isn’t cleared for one application if I close its window, but keep another window, pointing to a completely different application, on different server in different DOMAIN?!

Do try this: Login to any app that requires login and keeps user’s info in session. Open a new browser, and point it anywhere completely unrelated (link to this article will do). Close original app window. Open new browser window and go to that app URL. Surprise, surprise, you’re still logged on.

"Relying on closing the window to clear the session is not a recommended way to implement proper logoff for an application"

Are you aware that 99.9% of all users will simply close browser window instead of going thru logout process even if it takes only one click? And in many scenarios, including one above – they will stay logged in.

I am facing one problem in my project. The scenario is, I have 2 different applications which are running on the same host and webserver but on different application servers. The problem is that when I logoff from one application, automatically the other is also getting signed out. And to my wonder this is happening only with IE8. All the below versions don't have any issues.

Hi there, hope someone can help. I'm having a siteminder issue with IE8. I use multiple sites simultaneously that require my credentials & with IE8, I am automatically logged off of one site the second I open up another tab that requires a log in. I was able to use the command "-noframemerging" to help avoid this issue when using separate Windows, but I would like to keep one window open & utilize the Tabs instead. It's much easier when needing 5+ sites open at once to just use tabs but unfortunately with this issue, I can't unless I want to log in to each site EVERY time I switch back & forth between tabs. Please help!

I've tried all of your examples above, but I cannot get "Run iexplore.exe -> New Session" to create session. After opening 2 windows, go to the Tools | Developer Tools (F12). Then click on the Cache | View Cookie Information, then search for the JSESSIONID, you will find that they are the same (at least they are for me). I'm not sure how to work around this, my clients want to be able to edit in two different sessions.

I have Windows XP SP3 and Windows 7 SP1 and I'm getting the same, so please, if anyone has a solution, help, as all options from Microsoft don't work with opening segregate sessions or what we call it no framemerg

If you open an application in IE session, one that authenticates the user id in the session. Then, try to launch a URL survey from same application (clicking with mouse) which uses a different id, the URL fails, because an existing user is already logged in.

If you open an application in IE session, one that authenticates the user id in the session. Then File>New Session – Then, try to launch a URL survey from same application (clicking with mouse) which uses a different id, the URL fails, because the clicking of the mouse (OS) is looking for the 1st session opened.

If you open an application in IE session, one that authenticates the user id in the session. Then File>New Session – Then, try to launch a URL survey from same application (by copy paste), works.

If you open 2 new sessions, and in second session – open an application in IE session, one that authenticates the user id in the session. Then, try to launch a URL survey from same application (clicking with mouse) which uses a different id, the URL works, because the clicking of the mouse (OS) is looking for the 1st session opened.

What is the work around, to have the clicking on URL start in the last session opened?